Date: Sun, 17 Jul 2011 18:24:34 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Subject: [openwall-announce] crypt_blowfish 1.2; tcb 1.1

Hi,

crypt_blowfish is an implementation of a decent password hashing method
provided via the crypt(3) and a reentrant interface.

I've just released crypt_blowfish 1.2:

http://www.openwall.com/crypt/

To provide for better upgrade strategies from pre-1.1 versions of
crypt_blowfish with the sign extension bug (documented previously), this
version adds support for the "$2y$" prefix (which guarantees correct
handling of both 7- and 8-bit characters as in OpenBSD's "$2a$") and a
countermeasure to avoid one-correct to many-buggy hash collisions with
the "$2a$" prefix.

Other changes include improvements to the "make check" tests and to the
runtime quick self-test, addition of a patch for glibc 2.13 and 2.14,
and documentation updates.

I'd like to thank Ludwig Nussel of SUSE for his helpful feedback on
development snapshots leading to this release.

At the same time, I've also released a new version of tcb -
implementation of our alternative password shadowing scheme. The only
change in tcb 1.1 since the previous release is that it will now use the
new "$2y$" hash encoding prefix by default, instead of "$2a$":

http://www.openwall.com/tcb/
http://www.openwall.com/tcb/ChangeLog

Obviously, both of these updates are already in Owl-current, along with
relevant changes to the pam and shadow-utils packages. The
CHANGES-current entry on the glibc/crypt_blowfish fix has been revised
accordingly:

http://www.openwall.com/Owl/CHANGES-current.shtml

Besides the source code updates, currently available are binary builds
of the updated Owl-current packages for i686. Builds for x86_64 and
similar changes in Owl 3.0-stable will be made available later.

Alexander
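
Added example, not part of the original announcement and not crypt_blowfish source: a simplified C model of how sign extension while packing password bytes into Blowfish key words makes distinct passwords containing 8-bit characters collide, which is the behaviour the "$2y$" prefix guarantees against. The function names and sample passwords are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_KEY_WORDS 18  /* Blowfish P-array size: 16 rounds + 2 */

/* Pack the NUL-terminated key cyclically into 32-bit words, as a Blowfish
 * key setup does.  buggy != 0 models sign extension of each byte (a signed
 * char promoted before the OR); buggy == 0 treats bytes as unsigned. */
void expand_key(const char *key, int buggy, uint32_t out[BF_KEY_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < BF_KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            unsigned char c = (unsigned char)*ptr;
            tmp <<= 8;
            if (buggy)
                tmp |= (uint32_t)(int32_t)(signed char)c; /* 0xA3 -> 0xFFFFFFA3 */
            else
                tmp |= c;
            ptr = *ptr ? ptr + 1 : key;  /* the NUL is included, then wrap */
        }
        out[i] = tmp;
    }
}

/* Returns 1 if both passwords yield the same expanded key in the given mode. */
int same_expansion(const char *a, const char *b, int buggy)
{
    uint32_t wa[BF_KEY_WORDS], wb[BF_KEY_WORDS];
    expand_key(a, buggy, wa);
    expand_key(b, buggy, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}

/* First expanded word, for inspection. */
uint32_t first_word(const char *key, int buggy)
{
    uint32_t w[BF_KEY_WORDS];
    expand_key(key, buggy, w);
    return w[0];
}

int main(void)
{
    const char *p1 = "ab\xa3", *p2 = "xy\xa3";  /* constructed sample passwords */
    printf("correct: %08x vs %08x\n", first_word(p1, 0), first_word(p2, 0));
    printf("buggy:   %08x vs %08x\n", first_word(p1, 1), first_word(p2, 1));
    printf("same buggy expansion: %d\n", same_expansion(p1, p2, 1));
    return 0;
}
```

In the buggy mode the 8-bit byte overwrites the characters packed before it in the same word with 0xFF, so both sample passwords expand to the same key; 7-bit passwords are packed identically in both modes.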